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Introduction 


The Information Commissioner is seeking feedback on her draft code of 
practice Age appropriate design - a code of practice for online services 
likely to be accessed by children (the code). 


The code will provide guidance on the design standards that the 
Commissioner will expect providers of online ‘Information Society 
Services’ (ISS), which process personal data and are likely to be accessed 
by children, to meet. 


The code is now out for public consultation and will remain open until 31 
May 2019. The Information Commissioner welcomes feedback on the 
specific questions set out below. 


Please send us your comments by 31 May 2019. 


Download this document and email to: 


ageappropriatedesign@ico.org.uk 


Print off this document and post to: 
Age Appropriate Design code consultation 
Policy Engagement Department 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire SK9 5AF 


If you would like further information on the consultation please 
telephone 0303 123 1113 and ask to speak to the Policy 
Engagement Department about the Age Appropriate Design code or 


email_ageappropriatedesign@ico.org.uk 


Privacy statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
capacity (e.g. a member of the public or a parent). All responses from 
organisations and individuals responding in a professional capacity (e.g. 
academics, child development experts, sole traders, child minders, 
education professionals) will be published. We will remove email 
addresses and telephone numbers from these responses but apart from 
this, we will publish them in full. 


For more information about what we do with personal data, please see 
our privacy notice. 


Section 1: Your views 


Q1. Is the ‘About this code’ section of the code clearly communicated? 


No 
In the subsection 'Who is this code for?’, it is stated that the code 


is for providers of information society services (ISS). In doing so, 
it appears to be suggesting that the code applies to all ISS, 
regardless of whether access is by an adult or a child. Although a 
level of clarification is made later in the paragraph, the reader 
does need to see the separate section on ‘services covered by this 
code’ to determine whether the code is applicable in their 
circumstances and context. 


The section uses ‘relevant’, a term from section 123(1) of the 
Data Protection Act 2018. However, the term lacks definition at 
this point in the code, and it not until the next section of the code 
that the term is interpreted. 


A reader would benefit from being able to decide in this section on 
whether or not the code applies to a particular ISS. 


Q2. Is the "Services covered by this code” section of the code clearly 
communicated? 


No 


The ICO appears to have substantially broadened the scope of 
the application of the code through its interpretation of Section 
123(1) of the Data Protection Act 2018. 


Section 123 of the DPA 2018 states that the code shall apply to 
"relevant information society services which are likely to be 
accessed by children.” The ICO has interpreted the term ‘relevant’ 
as meaning any ISS that process children’s personal data: 


‘Relevant’ ISS are those which involve the processing of personal 
data to which the GDPR applies. 


Such an interpretation is without consideration of particular ISS or 
categories of ISS that pose risks to children. The section quotes 
from Recital 38 of the GDPR, but does not pay particular regard to 
the risks that may arise from a child’s use of an ISS: Recital 38 
suggests the types of risks that need to be addressed, i.e. ‘the 
use of personal data of children for the purposes of marketing or 
creating personality or user profiles and the collection of personal 
data with regard to children when using services offered directly 
to a child.’ The ICO’s interpretation in the code is therefore 
neither risk-based nor proportionate. 


The breadth of the scope of the draft code means that news sites 
will be captured by the code; this is explicitly stated in the 
subsection 'What do you mean by an ‘information society 
service’?'. In extending the code to news sites, the publisher will 
face increased costs of age verification, diverting budgets that 
should be spent on journalism, enhancing readability and 
accessibility, and continuing publication. The broad scope will 
likely result in restricted access and reduced news coverage, a 
move that would be highly detrimental to society. 


A consequence therefore of the code as drafted is that it will 
inhibit news publisher rights and the rights of individuals for 
freedom of expression and information, under Article 10 of the 
European Convention of Human Rights. 


In the previous section, "About this code”, the code seeks to 
ensure that the rights of the child are supported. However, in 
seeking to broaden the application of the code to all sites, then 
the code appears to infringing the UNCRC Article 13.1 right: 


"The child shall have the right to freedom of expression; this right 
shall include freedom to seek, receive and impart information and 
ideas of all kinds, regardless of frontiers, either orally, in writing 
or in print, in the form of art, or through any other media of the 
child's choice." 


If the child’s choice is to seek information from a news site, or to 
engage with a news site, then that is that child’s right, reiterated 
in Article 17: 


"States Parties recognize the important function performed by the 
mass media and shall ensure that the child has access to 
information and material from a diversity of national and 
international sources, especially those aimed at the promotion of 
his or her social, spiritual and moral well-being and physical and 
mental health. 

To this end, States Parties shall: 

(a) Encourage the mass media to disseminate information and 
material of social and cultural benefit to the child and in 
accordance with the spirit of article 29; 

(b) Encourage international co-operation in the production, 
exchange and dissemination of such information and material 
from a diversity of cultural, national and international sources; 
(c) Encourage the production and dissemination of children's 
books; 

(d) Encourage the mass media to have particular regard to the 
linguistic needs of the child who belongs to a minority group or 
who is indigenous; 

(e) Encourage the development of appropriate guidelines for the 
protection of the child from information and material injurious to 
his or her well-being, bearing in mind the provisions of articles 13 
and 18." 


Requiring compliance with the code for a news site would most 
likely be contrary to Article 17. Article 17(e) does require 
consideration of the protection of the child, and this is factored in 


by news sites when deciding what to publish, in line with 
applicable editorial codes of practice. 


The ICO should give further consideration to the intended 
meaning of ‘relevant’ and pay greater attention to Recital 38 of 
the GDPR, quoted in the section, to focus on the risks to the child 
when using ISS in a more proportionate manner and pay greater 
attention to the rights of society and children in respect of 
freedom of expression and information. 


Standards of age-appropriate design 


Please provide your views on the sections of the code covering each of 
the 16 draft standards 


1. Best interests of the child: The best interests of the child should be 
a primary consideration when you design and develop online services 
likely to be accessed by a child. 


2. Age-appropriate application: Consider the age range of your 
audience and the needs of children of different ages. Apply the standards 
in this code to all users, unless you have robust age-verification 
mechanisms to distinguish adults from children. 


3. Transparency: The privacy information you provide to users, and 
other published terms, policies and community standards, must be 
concise, prominent and in clear language suited to the age of the child. 
Provide additional specific ‘bite-sized’ explanations about how you use 
personal data at the point that use is activated. 


4. Detrimental use of data: Do not use children’s personal data in ways 
that have been shown to be detrimental to their wellbeing, or that go 
against industry codes of practice, other regulatory provisions or 
Government advice. 


5. Policies and community standards: Uphold your own published 
terms, policies and community standards (including but not limited to 
privacy policies, age restriction, behaviour rules and content policies). 


6. Default settings: Settings must be "high privacy” by default (unless 
you can demonstrate a compelling reason for a different default setting, 
taking account of the best interests of the child). 


7. Data minimisation: Collect and retain only the minimum amount of 
personal data necessary to provide the elements of your service in which 
a child is actively and knowingly engaged. Give children separate choices 
over which elements they wish to activate. 


8. Data sharing: Do not disclose children’s data unless you can 
demonstrate a compelling reason to do so, taking account of the best 
interests of the child. 


9. Geolocation: Switch geolocation options off by default (unless you can 
demonstrate a compelling reason for geolocation, taking account of the 
best interests of the child), and provide an obvious sign for children when 
location tracking is active. Options which make a child’s location visible to 
others must default back to off at the end of each session. 


10. Parental controls: If you provide parental controls give the child 
age appropriate information about this. If your online service allows a 
parent or carer to monitor their child’s online activity or track their 
location, provide an obvious sign to the child when they are being 
monitored. 


11. Profiling: Switch options based on profiling off by default (unless you 
can demonstrate a compelling reason for profiling, taking account of the 
best interests of the child). Only allow profiling if you have appropriate 
measures in place to protect the child from any harmful effects (in 
particular, being fed content that is detrimental to their health or 
wellbeing). 


12. Nudge techniques: Do not use nudge techniques to lead or 
encourage children to provide unnecessary personal data, weaken or turn 
off privacy protections, or extend use. 


13. Connected toys and devices: If you provide a connected toy or 
device ensure you include effective tools to enable compliance with this 
code 


14. Online tools: Provide prominent and accessible tools to help children 
exercise their data protection rights and report concerns. 


15. Data protection impact assessments: Undertake a DPIA 
specifically to assess and mitigate risks to children who are likely to 


access your service, taking into account differing ages, capacities and 
development needs. Ensure that your DPIA builds in compliance with this 
code. 


16. Governance and accountability: Ensure you have policies and 
procedures in place which demonstrate how you comply with data 
protection obligations, including data protection training for all staff 
involved in the design and development of online services likely to be 
accessed by children. Ensure that your policies, procedures and terms of 
service demonstrate compliance with the provisions of this code 


Q3. Have we communicated our expectations for this standard clearly? 
1. Best interests of the child 
YES/NO. 


If NO, then please provide your reasons for this view. 


2. Age-appropriate application 
YES/NO. 


If NO, then please provide your reasons for this view. 
3. Transparency 
YES/NO 


If NO, then please provide your reasons for this view. 
4. Detrimental use of data 


YES/NO. 
If NO, then please provide your reasons for this view. 


5. Policies and community standards 
YES/NO. 


If NO, then please provide your reasons for this view. 
6. Default settings 
YES/NO. 


If NO, then please provide your reasons for this view. 
7. Data minimisation 
YES/NO. 


If NO, then please provide your reasons for this view. 
8. Data sharing 
YES/NO. 


If NO, then please provide your reasons for this view. 
9. Geolocation 
YES/NO. 


If NO, then please provide your reasons for this view. 
10. Parental controls 
YES/NO. 


If NO, then please provide your reasons for this view. 


11. Profiling 
YES/NO. 


If NO, then please provide your reasons for this view. 


12. Nudge techniques 
YES/NO. 


If NO, then please provide your reasons for this view. 
13. Connected toys and devices 
YES/NO. 


If NO, then please provide your reasons for this view. 
14. Online tools 
YES/NO. 


If NO, then please provide your reasons for this view. 
15. Data protection impact assessments 
YES/NO. 


If NO, then please provide your reasons for this view. 
16. Governance and accountability 


YES/NO. 


If NO, then please provide your reasons for this view. 


Q4. Do you have any examples that you think could be used to illustrate 
the approach we are advocating for this standard? 


1. Best interests of the child 


YES/NO. 
If YES, then please provide details. 


2. Age-appropriate application 
YES/NO. 


If YES, then please provide details. 
3. Transparency 
YES/NO. 


If YES, then please provide details. 


4. Detrimental use of data 


YES/NO. 


If YES, then please provide details. 


5. Policies and community standards 
YES/NO. 


If YES, then please provide details. 
6. Default settings: 
YES/NO. 


If YES, then please provide details. 
7. Data minimisation 
YES/NO. 


If YES, then please provide details. 
8. Data sharing 
YES/NO. 


If YES, then please provide details. 
9. Geolocation 
YES/NO. 


If YES, then please provide details. 
10. Parental controls 
YES/NO. 


If YES, then please provide details. 
11. Profiling 
YES/NO. 


If YES, then please provide details. 
12. Nudge techniques 
YES/NO. 


If YES, then please provide details. 


13. Connected toys and devices 
YES/NO. 


If YES, then please provide details. 


14. Online tools 
YES/NO. 


If YES, then please provide details. 


15. Data protection impact assessments 
YES/NO. 


If YES, then please provide details. 
16. Governance and accountability 


YES/NO. 


If YES, then please provide details. 


Q5. Do you think this standard gives rise to any unwarranted or 
unintended consequences? 


1. Best interests of the child 
YES/NO. 
If YES, then please provide your reasons for this view. 


2. Age-appropriate application 
YES/NO. 


If YES, then please provide your reasons for this view. 
3. Transparency 
YES/NO. 


If YES, then please provide your reasons for this view. 
4. Detrimental use of data 


YES/NO. 


If YES, then please provide your reasons for this view. 


5. Policies and community standards 
YES/NO. 


If YES, then please provide your reasons for this view. 
6. Default settings 
YES/NO. 


If YES, then please provide your reasons for this view. 
7. Data minimisation 
YES/NO. 


If YES, then please provide your reasons for this view. 
8. Data sharing 
YES/NO. 


If YES, then please provide your reasons for this view. 
9. Geolocation 
YES/NO. 


If YES, then please provide your reasons for this view. 
10. Parental controls 
YES/NO. 


If YES, then please provide your reasons for this view. 
11. Profiling 
YES/NO. 


If YES, then please provide your reasons for this view. 
12. Nudge techniques 
YES/NO. 


If YES, then please provide your reasons for this view. 
13. Connected toys and devices 
YES/NO. 


If YES, then please provide your reasons for this view. 
14. Online tools 
YES/NO. 


If YES, then please provide your reasons for this view. 
15. Data protection impact assessments 
YES/NO. 


If YES, then please provide your reasons for this view. 
16. Governance and accountability 


YES/NO. 


If YES, then please provide your reasons for this view. 


Q6. Do you envisage any feasibility challenges to online services 
delivering this standard? 


1. Best interests of the child 


YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 


2. Age-appropriate application 
YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

3. Transparency 

YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 
4. Detrimental use of data 


YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 


5. Policies and community standards 
YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

6. Default settings 

YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 
7. Data minimisation 


YES/NO. 


If YES, then please provide details of what you think the 
and how you think they could be overcome. 

8. Data sharing 

YES/NO. 


If YES, then please provide details of what you think the 
and how you think they could be overcome. 

9. Geolocation 

YES/NO. 


If YES, then please provide details of what you think the 
and how you think they could be overcome. 

10. Parental controls 

YES/NO. 


If YES, then please provide details of what you think the 
and how you think they could be overcome. 


11. Profiling 
YES/NO. 


If YES, then please provide details of what you think the 
and how you think they could be overcome. 

12. Nudge techniques 

YES/NO. 


If YES, then please provide details of what you think the 
and how you think they could be overcome. 

13. Connected toys and devices 

YES/NO. 


If YES, then please provide details of what you think the 
and how you think they could be overcome. 

14. Online tools 

YES/NO. 


If YES, then please provide details of what you think the 
and how you think they could be overcome. 

15. Data protection impact assessments 

YES/NO. 


If YES, then please provide details of what you think the 
and how you think they could be overcome. 
16. Governance and accountability 


YES/NO. 
If YES, then please provide details of what you think the 


challenges are 


challenges are 


challenges are 


challenges are 


challenges are 


challenges are 


challenges are 


challenges are 


challenges are 


challenges are 


and how you think they could be overcome. 


Q7. Do you think this standard requires a transition period of any longer 
than 3 months after the code come into force? 


1. Best interests of the child 


YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 


2. Age-appropriate application 
YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

3. Transparency 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

4. Detrimental use of data 


YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 


5. Policies and community standards 
YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

6. Default settings 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 


indication of what you think a reasonable transition period would be and 
why. 

7. Data minimisation 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

8. Data sharing 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 


9. Geolocation 
YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

10. Parental controls 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

11. Profiling 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

12. Nudge techniques 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

13. Connected toys and devices 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 


14. Online tools 
YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

15. Data protection impact assessments 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 


16. Governance and accountability 


YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 


Q8. Do you know of any online resources that you think could be usefully 
linked to from this section of the code? 


1. Best interests of the child 


YES/NO. 
If YES, then please provide details (including links). 


2. Age-appropriate application 
YES/NO. 


If YES, then please provide details (including links). 
3. Transparency 
YES/NO. 


If YES, then please provide details (including links). 
4. Detrimental use of data 


YES/NO. 


If YES, then please provide details (including links). 


5. Policies and community standards 
YES/NO. 


If YES, then please provide details (including links). 
6. Default settings 
YES/NO. 


If YES, then please provide details (including links). 
7. Data minimisation 
YES/NO. 


If YES, then please provide details (including links). 
8. Data sharing 
YES/NO. 


If YES, then please provide details (including links). 
9. Geolocation 
YES/NO. 


If YES, then please provide details (including links). 
10. Parental controls 
YES/NO. 


If YES, then please provide details (including links). 
11. Profiling 
YES/NO. 


If YES, then please provide details (including links). 
12. Nudge techniques 
Yes 


If YES, then please provide details (including links). 
13. Connected toys and devices 
No 


If YES, then please provide details (including links). 
14. Online tools 
YES/NO. 


If YES, then please provide details (including links). 
15. Data protection impact assessments 
YES/NO. 


If YES, then please provide details (including links). 
16. Governance and accountability 


YES/NO. 


If YES, then please provide details (including links). 


Q9. Is the ‘Enforcement of this code’ section clearly communicated? 
YES/NO. 

If NO, then please provide your reasons for this view. 

Q10. Is the ‘Glossary’ section of the code clearly communicated? 


YES/NO. 
If NO, then please provide your reasons for this view. 


Q11. Are there any key terms missing from the ‘Glossary’ section? 
YES/NO. 


If YES, then please provide your reasons for this view. 


Q12. Is the ‘Annex A: Age and developmental stages’ section of the 
code clearly communicated? 
YES/NO. 


If NO, then please provide your reasons for this view. 


Q13. Is there any information you think needs to be changed in the 
"Annex A: Age and developmental stages’ section of the code? 


YES/NO. 


If YES, then please provide your reasons for this view. 


Q14. Do you know of any online resources that you think could be 
usefully linked to from the "Annex A: Age and developmental 
stages’ section of the code? 


YES/NO. 
If YES, then please provide details (including links). 


Q15. Is the ‘Annex B: Lawful basis for processing’ section of the 
code clearly communicated? 


YES/NO. 
If NO, then please provide your reasons for this view. 


Q16. Is this ‘Annex C: Data Protection Impact Assessments’ 
section of the code clearly communicated? 


YES/NO. 
If NO, then please provide your reasons for this view. 


Q17. Do you think any issues raised by the code would benefit from 
further (post publication) work, research or innovation? 


YES/NO. 


If YES, then please provide details (including links). 


Section 2: About you 


Åre you: 


A body representing the views or interests of children? 


Please specify: 


A body representing the views or interests of parents? 


Please specify: 


A child development expert? 


Please specify: 


An Academic? 


Please specify: 


An individual acting in another professional capacity? 


Please specify: L] 
A provider of an ISS likely to be accessed by children? 

Please specify: L] 
A trade association representing ISS providers? 

Please specify: L] 
An individual acting in a private capacity (e.g. someone 
providing their views as a member of the public of the L] 
public or a parent)? 

An ICO employee? L] 
Other? 

Please specify: 


A media company (News UK & Ireland Limited) 


Robert Streeter, Group Data Protection Officer 


Thank you for responding to this consultation. 


We value your input. 


